Cisco ASA adding translation issue

Posted on 2012-09-07
Last Modified: 2012-09-11
I added a new network on my Cisco ASA 5520, to an empty ethernet port.

I was trying to add a translation on my inside interface (my internal lan), so the two networks can talk to each other, and I get the following error:

"The Static Translation IP Address overlaps with the following IP Address Pool: - VPNPOOL1 10.10.7.100 - 10.10.7.254"

That pool is what I use for my remote access VPN (ipsec) clients, on this same ASA.

How do I get the translation in place, so I can get the networks to talk?

inside interface (10.10.0.0/16)
new network (192.168.0.1/24)

Thanks
Question by:Vjz1
Expert Comment

by:max_the_king
ID: 38376520
Hi,
Ethernet ports are associated with interfaces, for example:
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 1.2.3.4 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.0.0
!
interface Ethernet0/2
 nameif new
 security-level 50
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address

hope this helps
max

Author Comment

by:Vjz1
ID: 38376538
Max,

Your outline is exactly what I have.

The interfaces are configured. What I'm trying to do is create the translation, so that nodes on the inside interface can talk back and forth with the interface named "new".

Am I missing something obvious?

Expert Comment

by:Ernie Beek
ID: 38376566
The ASA is giving you the answer:
You have an address pool defined for VPN: VPNPOOL1 10.10.7.100 - 10.10.7.254

And you're trying to define a network translation to that 'new' interface: 10.10.0.0/16

10.10.0.0/16 = 10.10.0.0-10.10.255.255, so there's an overlap with the VPN addresses, which are terminated on the outside interface.
You can't have a network on the inside interface and a part of it on the outside, so the ASA will protest.

Expert Comment

by:Ernie Beek
ID: 38376570
What you could do is use another (completely separate) range for the VPN pool.

Author Comment

by:Vjz1
ID: 38376592
Ok, but I already have 2 other static NATs, for 2 other interfaces that I was previously using, and those work fine. Perhaps I should show you what I'm looking at; please see the attached file.
NAT.docx

Expert Comment

by:max_the_king
ID: 38376662
Hi,
then you have to exempt NAT from inside to the new interface, and then, should you need to originate traffic from new to inside, you need static and access-list commands.
That really depends on what policy you want to implement.

max

Expert Comment

by:Ernie Beek
ID: 38376759
Ok, if you don't mind, could you post a sanitized config? Perhaps we're overlooking something but I can't tell from the NAT.doc.

Author Comment

by:Vjz1
ID: 38376945
My config is terribly long, but here are the interfaces and NATs. Essentially what I'm trying to do is get interfaces 0/1 and 1/1 to talk to each other. I thought it would just be the same as the static NATs I have below, which allow me to do this very thing between my other interfaces. I must be missing something, Fridays....

!
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address hostbosp.summitpartners.com 255.255.255.128
!
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address hostbosp.lan.priv 255.255.0.0 standby 10.10.0.251
!
interface GigabitEthernet0/2
 nameif DMZ
 security-level 25
 ip address hostbosp.dmz.priv 255.255.255.0 standby 10.100.10.253
!
interface GigabitEthernet0/3
 nameif WAN
 security-level 90
 ip address hostbosp.wan.priv 255.255.255.0 standby 10.250.10.252
!
interface Management0/0
 description LAN/STATE Failover Interface
!
interface GigabitEthernet1/0
 nameif VOIP
 security-level 95
 ip address 10.210.0.254 255.255.0.0
!
interface GigabitEthernet1/1
 nameif VIDEO
 security-level 15
 ip address 1.1.1.1 255.255.255.248   (this is a made up IP address for this post)
!
interface GigabitEthernet1/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
nat (Inside) 0 access-list ACL_NoNat
nat (Inside) 1 BOSSUBNET.lan.priv 255.255.0.0
nat (DMZ) 0 access-list ACL_NoNat
nat (WAN) 1 BOSSUBNET.wan.priv 255.255.255.0
nat (VOIP) 0 access-list VOIP_nat0_outbound
nat (VOIP) 1 BOSSUBNET.voip.priv 255.255.0.0
nat (VIDEO) 1 BOSSUBNET.gcvideo.priv 255.255.255.248
static (Inside,DMZ) BOSSUBNET.lan.priv BOSSUBNET.lan.priv netmask 255.255.0.0
static (Inside,WAN) BOSSUBNET.lan.priv BOSSUBNET.lan.priv netmask 255.255.0.0
static (WAN,DMZ) BOSSUBNET.wan.priv BOSSUBNET.wan.priv netmask 255.255.255.0
static (Inside,Outside) bosprod01.lan.pub bosprod01.lan.priv netmask 255.255.255.255
static (Inside,Outside) bosservice1.lan.pub bosservice1.lan.priv netmask 255.255.255.255
static (WAN,DMZ) PALSUBNET.lan.priv PALSUBNET.lan.priv netmask 255.255.0.0
static (WAN,DMZ) PALSUBNET.dmz.priv PALSUBNET.dmz.priv netmask 255.255.255.0
static (WAN,DMZ) PALSUBNET.wan.priv PALSUBNET.wan.priv netmask 255.255.255.0
static (WAN,DMZ) LONSUBNET.lan.priv LONSUBNET.lan.priv netmask 255.255.0.0
static (WAN,DMZ) LONSUBNET.dmz.priv LONSUBNET.dmz.priv netmask 255.255.255.0
static (DMZ,Outside) bosftmg1-1.dmz.pub bosftmg1-1.dmz.priv netmask 255.255.255.255
static (Inside,Outside) boshub1.lan.pub boshub1.lan.priv netmask 255.255.255.255
static (DMZ,Outside) bosftmg1-2.dmz.pub bosftmg1-2.dmz.priv netmask 255.255.255.255
static (DMZ,Outside) xenwebbos.dmz.pub xenwebbos.dmz.priv netmask 255.255.255.255
static (DMZ,Outside) vmailbos1.dmz.pub vmailbos1.dmz.priv netmask 255.255.255.255
static (DMZ,Outside) ftabos.dmz.pub ftabos.dmz.priv netmask 255.255.255.255
static (WAN,DMZ) MUMSUBNET.lan.priv MUMSUBNET.lan.priv netmask 255.255.0.0
static (WAN,DMZ) MUMSUBNET.wan.priv MUMSUBNET.wan.priv netmask 255.255.255.0
static (VIDEO,Inside) BOSSUBNET.gcvideo.priv BOSSUBNET.gcvideo.priv netmask 255.255.255.248
static (VOIP,Inside) BOSSUBNET.voip.priv BOSSUBNET.voip.priv netmask 255.255.0.0

Author Comment

by:Vjz1
ID: 38377356
Does this message in the log help any?

portmap translation creation failed for icmp src Inside:10.10.2.6 dst VIDEO:1.1.1.2 (type 8, code 0)

I was trying to ping a node on that network and saw this in the streaming log. The src is my PC.

Accepted Solution

by:
Ernie Beek earned 2000 total points
ID: 38379896
Take a good look at the two that are working:
static (Inside,DMZ) BOSSUBNET.lan.priv BOSSUBNET.lan.priv netmask 255.255.0.0
static (Inside,WAN) BOSSUBNET.lan.priv BOSSUBNET.lan.priv netmask 255.255.0.0

Then have a look at the two you added:
static (VIDEO,Inside) BOSSUBNET.gcvideo.priv BOSSUBNET.gcvideo.priv netmask 255.255.255.248
static (VOIP,Inside) BOSSUBNET.voip.priv BOSSUBNET.voip.priv netmask 255.255.0.0

Try to change these two to:
static (Inside,VIDEO) BOSSUBNET.lan.priv BOSSUBNET.lan.priv netmask 255.255.0.0
static (Inside,VOIP) BOSSUBNET.lan.priv BOSSUBNET.lan.priv netmask 255.255.0.0

And see what happens.
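The two checks at the heart of this thread, as an added example that is not part of the thread or of Cisco's code: the ASA refuses a static whose mapped addresses overlap a VPN address pool, and traffic from Inside to VIDEO fails with "portmap translation creation failed" when no static lists Inside as the real interface and VIDEO as the mapped one. The object names in the poster's config are replaced here with the networks stated in the thread (10.10.0.0/16 for Inside, the poster's made-up 1.1.1.0/29 for VIDEO); those substitutions and the sample lines are constructed.

```python
import ipaddress
import re

# Constructed from the error message in the question: VPNPOOL1 10.10.7.100 - 10.10.7.254
VPN_POOL = (ipaddress.ip_address("10.10.7.100"),
            ipaddress.ip_address("10.10.7.254"))

# Constructed sample lines: the poster's original pair and the accepted fix,
# with object names resolved to the networks given in the thread (assumption).
ORIGINAL = """
static (Inside,DMZ) 10.10.0.0 10.10.0.0 netmask 255.255.0.0
static (VIDEO,Inside) 1.1.1.0 1.1.1.0 netmask 255.255.255.248
"""
FIXED = """
static (Inside,DMZ) 10.10.0.0 10.10.0.0 netmask 255.255.0.0
static (Inside,VIDEO) 10.10.0.0 10.10.0.0 netmask 255.255.0.0
"""

# Pre-8.3 syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)$")


def parse_statics(config):
    """Return one dict per static line, with real/mapped networks as objects."""
    statics = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            real_ifc, mapped_ifc, mapped, real, mask = m.groups()
            statics.append({
                "real_ifc": real_ifc, "mapped_ifc": mapped_ifc,
                "real": ipaddress.ip_network(f"{real}/{mask}"),
                "mapped": ipaddress.ip_network(f"{mapped}/{mask}"),
            })
    return statics


def translation_for(statics, src_ifc, dst_ifc, src_ip):
    """Mapped network used when src_ip on src_ifc sends to dst_ifc, or None.
    None is the situation behind 'portmap translation creation failed'."""
    ip = ipaddress.ip_address(src_ip)
    for s in statics:
        if s["real_ifc"] == src_ifc and s["mapped_ifc"] == dst_ifc and ip in s["real"]:
            return s["mapped"]
    return None


def overlaps_vpn_pool(network, pool=VPN_POOL):
    """True when a mapped network overlaps the VPN pool range (the ASA's refusal)."""
    net = ipaddress.ip_network(network)
    return net[0] <= pool[1] and pool[0] <= net[-1]
```

Run against the two samples, the original pair yields no translation for 10.10.2.6 from Inside to VIDEO while the fixed pair does, and 10.10.0.0/16 overlaps VPNPOOL1 whereas 192.168.0.0/24 does not.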

Author Comment

by:Vjz1
ID: 38387017
That did it.  Thanks.  Can't believe I missed that.

Author Closing Comment

by:Vjz1
ID: 38387018
Thanks.

Expert Comment

by:Ernie Beek
ID: 38387030
My pleasure :) Thx 4 the points.